This document details the steps needed to add a SLES 10 or openSUSE server to an existing NT domain so that both Samba and Apache authenticate users against the domain instead of local accounts. Wiring winbind into the system-wide PAM stacks (login, sshd and so on) would achieve the same thing, but it would also let every domain user log in to the Linux server itself, which we do not want. With the process below, only local server accounts can log in to the server console, while Samba shares and Apache web pages are authenticated with domain credentials through a PAM service that only Apache uses.

Configuring Samba

First, we need to edit Samba’s configuration to prepare for joining the domain. For reference, we’ll use MOUSE as our domain name and CAT.COM as our DNS domain. Replace both with your own domain settings.

Open /etc/samba/smb.conf in your favorite text editor.

Add the following lines to the [global] config section for the domain to join:

Note: netbios name is the name the server reports to the domain and the name users type in the Windows standard \\SERVERNAME file browsing. server string is the description shown for this server in the NT Domain administration console and can be anything you like. The netbios name and server string do not need to match.

Samba does not verify passwords through PAM when it is a domain member, but with obey pam restrictions = yes smbd still honours PAM account and session rules; the author found this setting necessary for the Apache module to function properly.

Open the file /etc/nsswitch.conf and add winbind to the passwd and group lines as shown below, so that domain users and groups resolve through winbindd:

Save both files and restart Samba by entering /etc/rc.d/smb restart in a terminal. Also make sure the winbind service is running (/etc/init.d/winbind start): wbinfo, the NSS lookups and pam_winbind all talk to the winbindd daemon, not to smbd.

In a terminal window, run net join -U ADMINACCOUNT, where ADMINACCOUNT is an account with permission to join machines to the domain. Type the account’s password at the prompt and hit enter. You should receive the message:
“Joined domain MOUSE”

Restart winbind so it picks up the new machine trust, then verify the trust with wbinfo -t, which checks the shared secret against a domain controller. Next run wbinfo -u: after a few seconds you should get a list of all the domain user accounts. Similarly, wbinfo -g lists all the domain groups. If either command fails to return its list, check that winbindd is running and double-check the entries in your smb.conf file.

Samba is now a domain member and can use NT domain authentication for shares. You should also see your server in the NT Domain management console. Shares can be restricted with valid users = MOUSE\account1 MOUSE\account2, and so on. To use an NT group name, prefix it with an @ sign: valid users = @MOUSE\sales. A group name containing a space must be enclosed in double quotes, like so: valid users = “@MOUSE\sales execs”. The MOUSE\ prefix assumes winbind use default domain = no and the default winbind separator (a backslash).
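The Samba side of the procedure as one script, added here as an example rather than code from the original article. The [global] lines the article refers to are not reproduced on this page, so the parameter set, the idmap ranges and the winbind enum settings are my assumptions for a Samba 3 member server; LINUXSRV and ADMINACCOUNT are placeholders. The script patches nsswitch.conf without duplicating winbind on a re-run, builds a valid users line with the quoting rules above, and only performs the join and wbinfo checks when invoked with the argument apply.

```shell
#!/bin/sh
# Added example (not from the original article). Parameter names are
# standard Samba 3 ones; the idmap ranges and "winbind enum" settings are
# assumptions for a lab box, and LINUXSRV / ADMINACCOUNT are placeholders.

# Print a [global] section for joining an NT domain as a member server.
# usage: render_smb_global WORKGROUP NETBIOS_NAME "server string"
render_smb_global() {
    cat <<EOF
[global]
    workgroup = $1
    netbios name = $2
    server string = $3
    security = domain
    password server = *
    obey pam restrictions = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = no
EOF
}

# Append " winbind" to the passwd: and group: lines of an nsswitch.conf
# file, skipping lines that already list it (safe to re-run).
enable_winbind_nss() {
    f=$1
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$f" && continue
        sed -i "s/^\(${db}:.*\)$/\1 winbind/" "$f"
    done
}

# Build a "valid users =" line from DOMAIN plus user/group names.
# A leading @ marks a group; any name containing a space is quoted.
render_valid_users() {
    dom=$1; shift
    line="valid users ="
    for p in "$@"; do
        case $p in
            @*) tok="@${dom}\\${p#@}" ;;
            *)  tok="${dom}\\${p}" ;;
        esac
        case $tok in
            *" "*) tok="\"${tok}\"" ;;
        esac
        line="${line} ${tok}"
    done
    printf '%s\n' "$line"
}

# Join the domain and verify the trust. Needs root and a reachable DC,
# so it only runs when this script is invoked as: sh samba-join.sh apply
join_and_verify() {
    net join -U "$1" || return 1            # prompts for the password
    /etc/init.d/winbind restart             # winbindd must pick up the new trust
    wbinfo -t || return 1                   # checks the machine trust secret
    wbinfo -u >/dev/null && wbinfo -g >/dev/null
}

if [ "${1:-}" = "apply" ]; then
    render_smb_global MOUSE LINUXSRV "Samba file server"   # paste into smb.conf
    enable_winbind_nss /etc/nsswitch.conf
    join_and_verify ADMINACCOUNT
fi
```

Run it without arguments to load the functions for testing (for example, source it and call render_valid_users), and with apply on the server itself once smb.conf has been written.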

Configuring Apache

Apache itself needs little configuration beyond being told which modules to load. Unfortunately, the PAM module for Apache is neither included nor available from the install media, but mod_auth_pam is simple enough to compile and install. Before beginning, make sure your server has the C/C++ Compiler and Tools package pattern installed; the module builds through apxs, which on SUSE comes with the apache2-devel package. You will also need the following packages:

pam

pam_apparmor

pam-devel

pam-modules

pam_smb

yast2-pam

Download mod_auth_pam from the project’s website at http://pam.sourceforge.net/mod_auth_pam/download.html. The Apache 2.0 module is the one you need. For user account or primary-group authentication, the three patches offered there are not needed.

Unpack the module with the command tar -xzf mod_auth_pam-2.0-1.1.1.tar.gz. This creates a new folder called mod_auth_pam.

In a terminal window, change into the mod_auth_pam folder and run make && make install. This compiles the module and installs it into the necessary locations.

Using your favorite text editor, open the file /etc/pam.d/httpd. Comment out the two lines created by mod_auth_pam’s install process and add:

auth required /lib/security/pam_winbind.so
account required /lib/security/pam_permit.so
session required /lib/security/pam_permit.so

To enable logging, add debug after pam_winbind.so on the auth line; pam_winbind then reports its errors through syslog, which on SUSE ends up in /var/log/messages. Note that pam_permit on the account and session lines passes every check unconditionally, so only the password itself is verified against the domain. pam_winbind.so also provides an account module; use it on the account line instead of pam_permit if you want winbind’s account checks applied as well.

Open the file /etc/sysconfig/apache2 and find the line beginning with APACHE_MODULES. Add auth_sys_group and auth_pam inside the double-quoted list. For example, APACHE_MODULES=“actions include expires” becomes APACHE_MODULES=“actions include expires auth_sys_group auth_pam”.

Save both files and restart Apache by running the command /etc/rc.d/apache2 restart. The module supports two methods of adding or changing domain authentication for folders served by Apache.

Method 1 is to place the necessary parameters inside the <Directory></Directory> declaration in /etc/apache2/httpd.conf or /etc/apache2/vhosts.d/sitename.conf. With this method, Apache must be restarted for a change to take effect.

Method 2 is to place the parameters in a .htaccess file in the folder you wish to protect; this requires AllowOverride AuthConfig (or All) for that directory. Method 2 is easier for troubleshooting, but the protection can be removed by anyone who can write to the folder (a content editor, an upload form, or a compromised web application) simply by deleting or editing the .htaccess file, and Apache re-reads the file on every request.

My recommendation is to use a .htaccess file to test and set up the permissions the way you like, then copy the parameters into your <Directory> definition. This gives your site the added security without the need to restart Apache repeatedly while testing. Whichever method you use, the login prompt is HTTP Basic authentication, which sends the domain username and password base64-encoded with every request, so serve protected folders over HTTPS.

To grant access to specific users instead of a group, omit AuthGROUP_Enabled and use require user instead. As with Samba, group or user names containing spaces must be enclosed in double quotes.

Depending on the method you chose, you may need to restart Apache. Now, when you try to view a page in the protected folder, you should receive a login prompt. If you cannot log in, check the error log configured for the server or virtual host (the ErrorLog directive) and enable debug mode in /etc/pam.d/httpd.
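The Apache side of the procedure as one script, added here as an example rather than code from the original article. It writes the PAM service file described above, adds the two modules to APACHE_MODULES without duplicating them on a re-run, and renders a <Directory> block that protects a folder with a domain group. The AuthPAM_Enabled, AuthPAM_FallThrough, AuthGROUP_Enabled and AuthGROUP_FallThrough directives are the ones documented for mod_auth_pam 1.1 and its mod_auth_sys_group companion; the folder path, the group name and the AuthName text are placeholders. Nothing touches /etc unless the script is invoked with apply.

```shell
#!/bin/sh
# Added example (not from the original article). The Auth* directive names
# are the ones documented for mod_auth_pam 1.1 and its mod_auth_sys_group
# companion; paths, the group name and the AuthName text are placeholders.

# Write the PAM service file for Apache. Pass "debug" as $2 to make
# pam_winbind log through syslog (/var/log/messages on SUSE). The account
# and session lines use pam_permit, so only the password is checked against
# the domain; put pam_winbind.so on the account line too if you want its
# account checks as well.
write_pam_httpd() {
    dbg="${2:+ debug}"
    cat >"$1" <<EOF
#%PAM-1.0
auth     required /lib/security/pam_winbind.so${dbg}
account  required /lib/security/pam_permit.so
session  required /lib/security/pam_permit.so
EOF
}

# Add auth_sys_group and auth_pam to the APACHE_MODULES="..." line of a
# sysconfig file unless each is already listed (safe to re-run).
enable_apache_modules() {
    f=$1
    for m in auth_sys_group auth_pam; do
        grep -Eq "^APACHE_MODULES=\"(.*[[:space:]])?${m}([[:space:]]|\")" "$f" && continue
        sed -i "/^APACHE_MODULES=\"/ s/\"\$/ ${m}\"/" "$f"
    done
}

# Print a <Directory> block that authenticates through PAM and then
# requires membership of one domain group (resolved via nsswitch/winbind).
# usage: render_auth_block /path/to/dir 'MOUSE\group name'
render_auth_block() {
    cat <<EOF
<Directory "$1">
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    AuthType Basic
    AuthName "Domain login"
    AuthGROUP_Enabled on
    AuthGROUP_FallThrough off
    # Basic auth sends the domain password with every request: use HTTPS.
    require group "$2"
</Directory>
EOF
}

if [ "${1:-}" = "apply" ]; then
    write_pam_httpd /etc/pam.d/httpd debug
    enable_apache_modules /etc/sysconfig/apache2
    render_auth_block /srv/www/htdocs/secure 'MOUSE\sales execs'   # paste into httpd.conf
    /etc/init.d/apache2 restart
fi
```

The rendered block is printed rather than written so you can paste it into a .htaccess file first (Method 2) and move it into httpd.conf once it works (Method 1), as recommended above.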


Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up). It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

I can personally attest that winbind works awesome for authenticating Linux to AD in general. Much simpler than wrestling with LDAP and Kerberos.

One huge caveat that I’m pretty sure is true: If you have “promoted” Active Directory to “native mode” then authentication with winbind won’t work, as far as I know. If AD is in native mode then your only option is to go to a Kerberos/LDAP based authentication method.

Back to winbind – In my experience you don’t even need to start Samba at boot (i.e. from /etc/init.d) if you’re only using winbind for authentication and you’re not trying to share files with Samba.

kamaleon50, these instructions will only work with NT based domains or mixed mode Windows 2000 domains.
If you are using a Windows 2000 domain in Native mode or a Windows 2003 Active Directory domain, you have to use Kerberos. Winbind does not support the Kerberos protocols needed.